CN108319851B - Abnormal behavior active detection method, equipment and storage medium - Google Patents

Publication number: CN108319851B
Authority: CN (China)
Legal status: Active (listed by Google Patents as an assumption, not a legal conclusion)
Application number: CN201711318769.8A
Priority: CN201711318769.8A
Other languages: Chinese (zh)
Other versions: CN108319851A
Inventors: 张欣海, 张博, 郭晓雷, 徐海
Current Assignee: China Academy of Electronic and Information Technology of CETC (the listed assignee may be inaccurate)
Original Assignee: China Academy of Electronic and Information Technology of CETC

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2413 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on distances to training or reference patterns
    • G06F18/24133 Distances to prototypes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

Abstract

The invention discloses an active abnormal behavior detection method, a device and a storage medium. Previously identified data corresponding to the abnormal behavior is used as initial sample central point data; the behavior sample data is then classified and trained on the basis of the initial sample central point data, and the abnormal behavior data close to the initial sample central point data is obtained, so that early warning and real-time monitoring of abnormal user behavior are achieved actively.

Description

Abnormal behavior active detection method, equipment and storage medium
Technical Field
The invention relates to the field of information system application data safety protection, in particular to an abnormal behavior active detection method, equipment and a storage medium.
Background
As informatization moves toward large-scale integration, extensive sharing and deep application, the types and quantity of information resources are growing rapidly, the concentration and sensitivity of information have risen markedly, the ways information is applied and shared are increasingly complex, and information security work faces great challenges. In recent years, leaks of citizens' personal information have persisted despite repeated prohibitions and are exposed from time to time; they have become a hot topic for the media, attract all kinds of hype, cause adverse social impact, seriously affect the image of government agencies and damage the results of government informatization. Although government agencies at all levels have repeatedly cracked down and made corrections and have taken some technical measures, leaks of citizens' personal information by personnel inside government agencies remain frequent, and preventing internal information leakage has become a key task of current network information security.
To strengthen the foundation of information system application security audit, prevent leakage of internal sensitive information and avoid situations where a leak "cannot be traced, its source cannot be found and evidence cannot be obtained", government agencies at all levels have carried out security audit based on application logs. However, existing application log audit still relies mainly on statistical methods and is largely after-the-fact review ("backwards checking"), so it cannot effectively provide early warning and real-time monitoring of users' abnormal application usage.
Disclosure of Invention
The invention provides an abnormal behavior active detection method, equipment and a storage medium, which are used for solving the problem that the prior art cannot carry out early warning and real-time monitoring on abnormal behaviors of a user.
According to an aspect of the present invention, there is provided an active abnormal behavior detection method, including:
acquiring behavior sample data;
determining abnormal behaviors to be detected;
according to the abnormal behavior, using the searched data corresponding to the abnormal behavior as initial sample central point data;
performing classification training on the behavior sample data and the initial sample central point data to obtain different types of behavior sample data sets;
and acquiring abnormal behavior data according to the behavior sample data sets of different categories.
Optionally, the obtaining abnormal behavior data according to the behavior sample data sets of different categories includes:
acquiring a subclass behavior sample data set containing the initial sample central point data according to the behavior sample data sets of different classes;
and acquiring the abnormal behavior data according to the subclass behavior sample data set.
Optionally, the obtaining the abnormal behavior data according to the subclass behavior sample data set includes:
and acquiring the behavior sample data with the distance not more than K from the central point of the initial sample according to the subclass behavior sample data set to obtain the abnormal behavior data, wherein K is more than 0.
Optionally, before performing classification training on the behavior sample data and the initial sample center point data to obtain behavior sample data sets of different categories, the method includes:
and carrying out normalization processing on the behavior sample data and the initial sample center point data.
Optionally, the types of the behavior sample data include: normal behavior data and the abnormal behavior data.
According to a second aspect of the present invention, there is provided an active abnormal behavior detection apparatus, the apparatus comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the program:
acquiring behavior sample data;
determining abnormal behaviors to be detected;
according to the abnormal behavior, using the searched data corresponding to the abnormal behavior as initial sample central point data;
performing classification training on the behavior sample data and the initial sample central point data to obtain different types of behavior sample data sets;
and acquiring abnormal behavior data according to the behavior sample data sets of different categories.
Optionally, the obtaining of abnormal behavior data according to the behavior sample data sets of different categories includes, when the processor executes the program, implementing the following steps:
acquiring a subclass behavior sample data set containing the initial sample central point data according to the behavior sample data sets of different classes;
and acquiring the abnormal behavior data according to the subclass behavior sample data set.
Optionally, the abnormal behavior data is obtained according to the subclass behavior sample data set, and the processor implements the following steps when executing the program:
and acquiring the behavior sample data with the distance not more than K from the central point of the initial sample according to the subclass behavior sample data set to obtain the abnormal behavior data, wherein K is more than 0.
Optionally, before performing classification training on the behavior sample data and the initial sample center point data to obtain behavior sample data sets of different types, the processor implements the following steps when executing the program:
and carrying out normalization processing on the behavior sample data and the initial sample center point data.
According to a third aspect of the present invention, there is provided a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the following steps of the active abnormal behavior detection method:
acquiring behavior sample data;
determining abnormal behaviors to be detected;
according to the abnormal behavior, using the searched data corresponding to the abnormal behavior as initial sample central point data;
performing classification training on the behavior sample data and the initial sample central point data to obtain different types of behavior sample data sets;
and acquiring abnormal behavior data according to the behavior sample data sets of different categories.
The beneficial effects of the invention are as follows:
Previously identified data corresponding to the abnormal behavior is extracted and used as initial sample central point data; the behavior sample data is then classified and trained on the basis of the initial sample central point data, and the abnormal behavior data close to the initial sample central point data is obtained, so that early warning and real-time monitoring of abnormal user behavior are achieved actively.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flowchart of an active abnormal behavior detection method according to the first, third and fourth embodiments of the present invention;
FIG. 2 is a flowchart of an active abnormal behavior detection method according to a second embodiment of the present invention;
FIG. 3 shows a subclass containing the initial sample central point, obtained after the clustering computation in the second embodiment of the present invention;
FIG. 4 shows the intersection of the behavior sample data extraction results for the second half of 2016 and the first half of 2017 in the second embodiment;
FIG. 5 is a schematic structural diagram of an active abnormal behavior detection apparatus according to a third embodiment of the present invention.
In the figure: 1-memory, 2-processor.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Referring to fig. 1, in a first embodiment of the present invention, a method for actively detecting abnormal behavior is provided, which includes the following steps:
S101: acquiring behavior sample data; the types of the behavior sample data include normal behavior data and abnormal behavior data;
S102: determining abnormal behaviors to be detected;
S103: according to the abnormal behavior, using the searched data corresponding to the abnormal behavior as initial sample central point data;
S104: performing classification training on the behavior sample data and the initial sample central point data to obtain behavior sample data sets of different categories (that is, each behavior sample data set is a set formed by behavior sample data of the same category);
S105: acquiring abnormal behavior data according to the behavior sample data sets of different categories.
In an alternative embodiment of the present invention, step S105: acquiring abnormal behavior data according to the behavior sample data sets of different categories comprises the following steps:
acquiring a subclass behavior sample data set containing the initial sample central point data according to the behavior sample data sets of different classes;
and acquiring the abnormal behavior data according to the subclass behavior sample data set.
The obtaining the abnormal behavior data according to the subclass behavior sample data set comprises:
and acquiring the behavior sample data with the distance not more than K from the central point of the initial sample according to the subclass behavior sample data set to obtain the abnormal behavior data, wherein K is more than 0. That is to say, the behavior sample data whose distance from the central point of the initial sample does not exceed K is abnormal behavior data, and the user corresponding to the abnormal behavior data is a user with abnormal behavior.
Optionally, before performing classification training on the behavior sample data and the initial sample center point data to obtain behavior sample data sets of different categories, the method includes:
and carrying out normalization processing on the behavior sample data and the initial sample center point data.
In a second embodiment of the present invention, please refer to fig. 2, which provides an active abnormal behavior detection method, including the following steps:
S200: Extract user behavior feature attributes. Based on users' abnormal operation behaviors that have already been identified, N user behavior feature attributes are extracted manually from massive application audit logs, where N is a natural number; in this embodiment N is 28, that is, 28 user behavior feature attributes such as total user access volume, user type, user gender and user age range are extracted.
S201: Acquire behavior sample data. In an optional embodiment of the present invention, the behavior sample data includes normal behavior data and abnormal behavior data extracted within a time period (such as the second half of 2016 and the first half of 2017).
S202: Determine the abnormal behavior to be detected, for example detecting users with data stealing behavior or users who run large numbers of queries on young women, and determine the user behavior feature attributes to be used according to the abnormal behavior, such as data stealing.
S203: According to the abnormal behavior, use the previously identified data corresponding to the abnormal behavior as initial sample central point data. If users with data stealing behavior are to be detected, the data of users who have already been found to have data stealing behavior is used as the initial sample central point data. Multiple initial sample central point data can be selected as required; 8 are selected in this embodiment.
S204: Perform classification training on the behavior sample data and the initial sample central point data to obtain behavior sample data sets of different categories (that is, each behavior sample data set is a set formed by behavior sample data of the same category). In this embodiment, the MADlib k-means clustering algorithm is used to train on the behavior sample data sets of the second half of 2016 and the first half of 2017 together with the 8 initial sample central point data determined in step S203. The squared Euclidean distance is used as the distance function in the clustering calculation, and the maximum number of iterations is set to 50; in training, the behavior sample data converged after 38 iterations.
In an optional embodiment of the present invention, before the classification training in step S204, the behavior sample data and the initial sample central point data are normalized. First, ratio-type values in the behavior sample data and the initial sample central point data are converted to integers (for example, if the ratio of the number of behavior samples of the data stealing query behavior is 0.62, it is converted to an integer). The behavior sample data and the initial sample central point data are then preprocessed with zero-mean normalization (z-score), that is, normalized into a data set with a mean of 0 and a standard deviation of 1. The normalization formula is:
z=(x-μ)/σ
wherein x is an original value, μ is an average value, σ is a standard deviation, and z is a normalized value; when the original value is lower than the average value, z is a negative number, and vice versa.
S205: and acquiring abnormal behavior data according to the behavior sample data sets of different categories. The method comprises the following steps:
A subclass behavior sample data set containing the initial sample central point data is obtained from the behavior sample data sets of different categories; referring to FIG. 3, the entry with user_name zhao in the subclass behavior sample data set shown there is the initial sample central point data. Acquiring the abnormal behavior data according to the subclass behavior sample data set includes the following:
Machine self-learning is performed on the subclass behavior sample data set, and the behavior sample data whose distance from the initial sample central point does not exceed K is acquired as the abnormal behavior data, where K is greater than 0. That is, behavior sample data whose distance from the initial sample central point does not exceed K is abnormal behavior data, and the corresponding user is a user with abnormal behavior. After the clustering calculation on the behavior sample data in step S104, the 8 initial sample central point data determined in step S203 are distributed in 5 subclasses (1 st class, 1 nd class, 2 rd class, 1 rd class, 3 th class, and 1 st class), and the sample data closest to the initial sample central point data, at a distance not exceeding 0.5 (that is, K is not greater than 0.5), is extracted:
(1) 151 samples were extracted for the second half of 2016;
(2) 147 samples were extracted for the first half of 2017;
(3) the intersection of the extraction results for the second half of 2016 and the first half of 2017 was calculated, yielding 2 behavior samples in the intersection, as shown in FIG. 4.
S206: Output the detection result. The behavior sample data near the 2 intersection samples and the 8 initial sample central point data is given focused attention, analyzed and verified; verification found that more than 90% of the behavior sample data near the initial sample central point data shows obvious abnormal behavior. The detection result is output and an early warning is issued. By iterating on and analyzing the verification results, the accuracy of the method can be continuously improved, which effectively solves the problem of early warning and real-time monitoring of abnormal user behavior based on application log audit.
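The S200 to S206 pipeline of the second embodiment, as an added Python sketch that is not code from the patent: z-score normalization, k-means initialized from the confirmed-case seeds with squared Euclidean distance and at most 50 iterations, extraction of samples within K = 0.5 of a seed inside the seed's subclass, and intersection across two periods. The user IDs, the two feature columns, the sample values, the plain-Python k-means standing in for MADlib, and the use of Euclidean distance for the K threshold are assumptions.

```python
import math

# Constructed sample data (not from the patent): per-user feature vectors
# (queries_per_day, off_hours_pct). Ratio features are already integers.
PERIOD_A = {
    "u01": (20, 5), "u02": (25, 8), "u03": (22, 4), "u04": (30, 10),
    "u05": (18, 6), "u06": (27, 7), "u07": (400, 60), "u08": (380, 70),
}
PERIOD_B = {
    "u01": (21, 6), "u02": (24, 7), "u03": (23, 5), "u04": (29, 9),
    "u05": (19, 5), "u06": (26, 8), "u07": (405, 64), "u08": (28, 6),
    "u09": (310, 88),
}
# Feature vectors of already-confirmed abnormal users: the initial centers.
SEEDS = {"seed1": (410, 62), "seed2": (300, 90)}


def zscore(rows):
    """Normalize each column to mean 0, std 1: z = (x - mu) / sigma."""
    cols = list(zip(*rows))
    mus = [sum(c) / len(c) for c in cols]
    # A constant column has sigma 0; divide by 1.0 instead so it maps to 0.
    sigmas = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
              for c, m in zip(cols, mus)]
    return [tuple((x - m) / s for x, m, s in zip(r, mus, sigmas)) for r in rows]


def sq_dist(a, b):
    """Squared Euclidean distance, the clustering distance function."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def seeded_kmeans(points, centers, max_iter=50):
    """k-means with the seeds as initial centroids; returns (labels, iterations)."""
    centers = list(centers)
    labels = None
    for it in range(1, max_iter + 1):
        new = [min(range(len(centers)), key=lambda j: sq_dist(p, centers[j]))
               for p in points]
        if new == labels:  # no assignment changed: converged
            return labels, it
        labels = new
        for j in range(len(centers)):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:  # an empty cluster keeps its previous centroid
                centers[j] = tuple(sum(c) / len(members) for c in zip(*members))
    return labels, max_iter


def flag_near_seeds(samples, seeds, k=0.5):
    """Return users in a seed's subclass whose distance to that seed is <= k."""
    users, seed_ids = list(samples), list(seeds)
    # Samples and seeds are normalized and clustered together, as in S204.
    rows = zscore([samples[u] for u in users] + [seeds[s] for s in seed_ids])
    pts, seed_pts = rows[:len(users)], rows[len(users):]
    labels, _ = seeded_kmeans(rows, seed_pts)
    flagged = set()
    for i, sp in enumerate(seed_pts):
        seed_label = labels[len(users) + i]  # subclass that contains this seed
        for u, p, l in zip(users, pts, labels):
            if l == seed_label and math.sqrt(sq_dist(p, sp)) <= k:
                flagged.add(u)
    return flagged


def detect(periods, seeds, k=0.5):
    """Intersect the per-period extractions: users flagged in every period."""
    results = [flag_near_seeds(p, seeds, k) for p in periods]
    return sorted(set.intersection(*results))


if __name__ == "__main__":
    print(detect([PERIOD_A, PERIOD_B], SEEDS))
```

In the constructed data both seeds end up in the same subclass after training, the same effect the embodiment reports when its 8 seeds fall into 5 subclasses.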
In a third embodiment of the present invention, an active abnormal behavior detection apparatus is provided, referring to fig. 5, the apparatus includes a memory 1, a processor 2, and a computer program stored on the memory 1 and executable on the processor 2, and the processor 2 executes the program to implement the following steps:
S101: acquiring behavior sample data;
S102: determining abnormal behaviors to be detected;
S103: according to the abnormal behavior, using the searched data corresponding to the abnormal behavior as initial sample central point data;
S104: performing classification training on the behavior sample data and the initial sample central point data to obtain different types of behavior sample data sets;
S105: acquiring abnormal behavior data according to the behavior sample data sets of different categories.
Before executing step S101, the processor 2 further implements the following steps when executing the program:
Extracting user behavior feature attributes: based on users' abnormal operation behaviors that have already been identified, N user behavior feature attributes are extracted from massive application audit logs, where N is a natural number and N is 28, that is, 28 user behavior feature attributes such as total user access volume, user type, user gender and user age range are extracted. The sample data is continuously verified and refined through the output of subsequent machine self-learning, and the user behavior feature attributes are continuously enriched and improved.
Optionally, the abnormal behavior data is obtained according to the behavior sample data sets of different categories, and the processor 2 implements the following steps when executing the program:
acquiring a subclass behavior sample data set containing the initial sample central point data according to the behavior sample data sets of different classes;
and acquiring the abnormal behavior data according to the subclass behavior sample data set.
Optionally, the abnormal behavior data is obtained according to the subclass behavior sample data set, and the processor 2 implements the following steps when executing the program:
and acquiring the behavior sample data with the distance not more than K from the central point of the initial sample according to the subclass behavior sample data set to obtain the abnormal behavior data, wherein K is more than 0.
Optionally, before performing classification training on the behavior sample data and the initial sample center point data to obtain behavior sample data sets of different types, the processor 2 implements the following steps when executing the program:
and carrying out normalization processing on the behavior sample data and the initial sample center point data.
Optionally, after obtaining the abnormal behavior data, the processor 2 implements, when executing the program, the steps of:
and outputting a detection result, outputting behavior sample data with obvious abnormal behaviors nearby the initial sample central point data, outputting the detection result and performing early warning. The problems of early warning and real-time monitoring of abnormal behaviors of the user are effectively solved.
In a fourth embodiment of the present invention, a computer-readable storage medium is provided, on which a computer program is stored, which program, when being executed by a processor 2, realizes the following steps of the active abnormal behavior detection method:
S101: acquiring behavior sample data;
S102: determining abnormal behaviors to be detected;
S103: according to the abnormal behavior, using the searched data corresponding to the abnormal behavior as initial sample central point data;
S104: performing classification training on the behavior sample data and the initial sample central point data to obtain different types of behavior sample data sets;
S105: acquiring abnormal behavior data according to the behavior sample data sets of different categories.
Before executing step S101, the program further implements the following steps when executed by the processor 2:
Extracting user behavior feature attributes: based on users' abnormal operation behaviors that have already been identified, N user behavior feature attributes are extracted from massive application audit logs, where N is a natural number and N is 28, that is, 28 user behavior feature attributes such as total user access volume, user type, user gender and user age range are extracted. The sample data is continuously verified and refined through the output of subsequent machine self-learning, and the user behavior feature attributes are continuously enriched and improved.
In an alternative embodiment, said obtaining abnormal behavior data from said different classes of behavior sample data sets, when executed by the processor 2, performs the following steps:
acquiring a subclass behavior sample data set containing the initial sample central point data according to the behavior sample data sets of different classes;
and acquiring the abnormal behavior data according to the subclass behavior sample data set.
Optionally, the obtaining the abnormal behavior data according to the subclass behavior sample data set, and when being executed by the processor 2, the program implements the following steps:
and acquiring the behavior sample data, the distance between which and the central point of the initial sample is not more than K, according to the subclass behavior sample data set to obtain the abnormal behavior data, wherein K is more than 0, namely the behavior sample data, the distance between which and the central point of the initial sample is not more than K, is the abnormal behavior data, and the user corresponding to the abnormal behavior data is the user with the abnormal behavior.
Optionally, before performing classification training on the behavior sample data and the initial sample center point data to obtain behavior sample data sets of different types, when executed by the processor 2, the program implements the following steps:
and carrying out normalization processing on the behavior sample data and the initial sample center point data.
Optionally, after obtaining the abnormal behavior data, the program when executed by the processor 2 implements the following steps:
and outputting a detection result, outputting behavior sample data with obvious abnormal behaviors nearby the initial sample central point data, outputting the detection result and performing early warning. The problems of early warning and real-time monitoring of abnormal behaviors of the user are effectively solved.
Obviously, the invention obtains the abnormal behavior data close to the initial sample central point data after classifying and training the behavior sample data based on the initial sample central point data by taking the searched data corresponding to the abnormal behavior as the initial sample central point data, thereby realizing the early warning and real-time monitoring of the abnormal behavior of the user actively.
The storage medium in the present invention may include: ROM, RAM, magnetic or optical disks, and the like.
In short, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. An active abnormal behavior detection method, comprising:
acquiring behavior sample data;
determining abnormal behaviors to be detected;
according to the abnormal behaviors, using the searched data corresponding to the abnormal behaviors as initial sample central point data, wherein the initial sample central point data is multiple;
performing classification training on the behavior sample data and the initial sample central point data to obtain different types of behavior sample data sets;
acquiring abnormal behavior data according to the behavior sample data sets of different categories;
wherein acquiring abnormal behavior data according to the behavior sample data sets of different categories comprises:
acquiring, according to the behavior sample data sets of different classes, subclass behavior sample data sets containing the initial sample central point data in multiple different time periods;
acquiring the abnormal behavior data according to the subclass behavior sample data sets, which comprises:
calculating the intersection of the results extracted from the subclass behavior sample data sets in the multiple different time periods;
and determining abnormal behaviors based on the sample data of the intersection and the initial sample central point data, and outputting a detection result.
2. The active abnormal behavior detection method of claim 1, wherein acquiring the abnormal behavior data according to the subclass behavior sample data set comprises:
acquiring, from the subclass behavior sample data set, the behavior sample data whose distance from the initial sample central point is not more than K, to obtain the abnormal behavior data, wherein K is greater than 0.
3. The active abnormal behavior detection method according to claim 1, wherein before performing classification training on the behavior sample data and the initial sample central point data to obtain different types of behavior sample data sets, the method comprises:
carrying out normalization processing on the behavior sample data and the initial sample central point data.
4. The active abnormal behavior detection method of claim 1, wherein the types of behavior sample data include: normal behavior data and the abnormal behavior data.
5. An active abnormal behavior detection device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the program to perform the steps of:
acquiring behavior sample data;
determining abnormal behaviors to be detected;
according to the abnormal behaviors, using the searched data corresponding to the abnormal behaviors as initial sample central point data, wherein there are multiple pieces of initial sample central point data;
performing classification training on the behavior sample data and the initial sample central point data to obtain different types of behavior sample data sets;
acquiring abnormal behavior data according to the behavior sample data sets of different categories;
wherein, to acquire abnormal behavior data according to the behavior sample data sets of different types, the processor executes the program to perform the following steps:
acquiring, according to the behavior sample data sets of different classes, subclass behavior sample data sets containing the initial sample central point data in multiple different time periods;
acquiring the abnormal behavior data according to the subclass behavior sample data sets, which comprises:
calculating the intersection of the results extracted from the subclass behavior sample data sets in the multiple different time periods;
and determining abnormal behaviors based on the sample data of the intersection and the initial sample central point data, and outputting a detection result.
6. The active abnormal behavior detection device of claim 5, wherein the processor, when executing the program, performs the following step to acquire the abnormal behavior data according to the subclass behavior sample data set:
acquiring, from the subclass behavior sample data set, the behavior sample data whose distance from the initial sample central point is not more than K, to obtain the abnormal behavior data, wherein K is greater than 0.
7. The active abnormal behavior detection device of claim 5, wherein before performing the classification training on the behavior sample data and the initial sample central point data to obtain different classes of behavior sample data sets, the processor, when executing the program, performs the following step:
and carrying out normalization processing on the behavior sample data and the initial sample center point data.
8. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 4.
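The method of claims 1 to 4 can be sketched as follows; this is an added example, not code from the patent. Seeded k-means as the "classification training", min-max normalization, the extra `NORMAL_REF` centre for ordinary behavior, applying the K filter inside each time period before intersecting, and all names and sample values are assumptions of this example.

```python
import math

def normalise(rows):
    # Min-max scale every feature to [0, 1] over samples and seeds together (claim 3).
    lo = [min(c) for c in zip(*rows)]
    hi = [max(c) for c in zip(*rows)]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]

def seeded_clusters(points, centres, rounds=10):
    # k-means-style training whose initial centres are supplied, not random.
    centres = [list(c) for c in centres]
    labels = []
    for _ in range(rounds):
        labels = [min(range(len(centres)), key=lambda c: math.dist(p, centres[c])) for p in points]
        for c in range(len(centres)):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centres[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def window_hits(window, seeds, normal_ref, k):
    # One time period: ids in a seed-containing cluster and within K of a seed (claim 2).
    ids = list(window)
    pts = normalise([window[i] for i in ids] + seeds + [normal_ref])
    n, seed_pts = len(ids), pts[len(ids):-1]
    labels = seeded_clusters(pts[:-1], pts[n:])   # data = samples + seeds
    seed_labels = set(labels[n:])                 # clusters that hold a seed
    return {ids[i] for i in range(n)
            if labels[i] in seed_labels
            and min(math.dist(pts[i], s) for s in seed_pts) <= k}

def detect(windows, seeds, normal_ref, k):
    # Intersect the per-period results so a one-off spike is not reported.
    return set.intersection(*(window_hits(w, seeds, normal_ref, k) for w in windows))

# Constructed sample data: [failed logins per hour, MB downloaded] per user.
SEEDS = [[40, 900], [35, 50]]   # known abnormal patterns used as initial centres
NORMAL_REF = [1, 20]            # assumed extra centre for ordinary behavior
WINDOWS = [
    {"alice": [1, 25], "bob": [38, 850], "carol": [2, 20], "dave": [3, 40]},
    {"alice": [2, 15], "bob": [41, 920], "carol": [37, 60], "dave": [1, 22]},
    {"alice": [0, 30], "bob": [36, 880], "carol": [1, 10], "dave": [2, 35]},
]

if __name__ == "__main__":
    print(detect(WINDOWS, SEEDS, NORMAL_REF, k=0.25))
```

In the second period alone `carol` also lands in a seed cluster, and only the intersection over all three periods drops her. K is measured in normalized units, so it has to be tuned together with the feature scaling.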
CN201711318769.8A 2017-12-12 2017-12-12 Abnormal behavior active detection method, equipment and storage medium Active CN108319851B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711318769.8A CN108319851B (en) 2017-12-12 2017-12-12 Abnormal behavior active detection method, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711318769.8A CN108319851B (en) 2017-12-12 2017-12-12 Abnormal behavior active detection method, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108319851A CN108319851A (en) 2018-07-24
CN108319851B true CN108319851B (en) 2022-03-11

Family

ID=62892146

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711318769.8A Active CN108319851B (en) 2017-12-12 2017-12-12 Abnormal behavior active detection method, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN108319851B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103138986A (en) * 2013-01-09 2013-06-05 天津大学 Website abnormal access behavior detection method based on visual analysis
US20130283378A1 (en) * 2012-04-24 2013-10-24 Behaviometrics Ab System and method for distinguishing human swipe input sequence behavior and using a confidence value on a score to detect fraudsters
CN105224872A (en) * 2015-09-30 2016-01-06 河南科技大学 A kind of user's anomaly detection method based on neural network clustering
CN105553998A (en) * 2015-12-23 2016-05-04 中国电子科技集团公司第三十研究所 Network attack abnormality detection method
CN106778259A (en) * 2016-12-28 2017-05-31 北京明朝万达科技股份有限公司 A kind of abnormal behaviour based on big data machine learning finds method and system
CN107528832A (en) * 2017-08-04 2017-12-29 北京中晟信达科技有限公司 Baseline structure and the unknown anomaly detection method of a kind of system-oriented daily record

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101980480B (en) * 2010-11-04 2012-12-05 西安电子科技大学 Semi-supervised anomaly intrusion detection method
CN103078856B (en) * 2012-12-29 2015-04-22 大连环宇移动科技有限公司 Method for detecting and filtering application layer DDoS (Distributed Denial of Service) attack on basis of access marking
CN106101102B (en) * 2016-06-15 2019-07-26 华东师范大学 A kind of exception flow of network detection method based on PAM clustering algorithm

Also Published As

Publication number Publication date
CN108319851A (en) 2018-07-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant